Misuse of WordPress REST API Permission Callback Leads to Privilege Escalation Vulnerability in OMGF
Last week someone posted on the support forum for the WordPress plugin OMGF on wordpress.org about a claimed security vulnerability in the plugin. A moderator deleted that posting. The plugin hasn’t been updated, so either there wasn’t a vulnerability or the moderator hasn’t made sure it was addressed. Either way, deleting the topic seems problematic.
After being notified about the deletion of that topic, we checked over the plugin for obvious security issues and found that the plugin does contain a vulnerability. The vulnerability would allow anyone logged in to WordPress to use the plugin’s capability to download fonts. It looks like that could be abused to fill up all the disk space available to the website, by downloading many copies of a font and having them saved in directories with different names.
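The pattern behind this class of issue is a REST route whose `permission_callback` only confirms that some user is logged in, rather than checking a capability that matches what the endpoint actually does. The following is an added illustration written for this post, not OMGF's own code: a route with the weak check beside a hardened version that requires an administrative capability and validates the directory-name input. The namespace, route paths, the `handle` parameter and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code). Shows a REST route whose permission
// callback only requires a logged-in user, beside a hardened registration.
// Namespace, route names, the "handle" parameter and the capability are assumptions.

add_action( 'rest_api_init', function () {
    // Weak: is_user_logged_in() lets any authenticated account, including a
    // Subscriber, trigger the font download.
    register_rest_route( 'example-fonts/v1', '/download-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_fonts_download',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Hardened: require a capability that matches the action (writing files
    // to the uploads directory), and constrain the directory-name input so a
    // caller cannot mint an unbounded number of distinct target directories.
    register_rest_route( 'example-fonts/v1', '/download', array(
        'methods'             => 'POST',
        'callback'            => 'example_fonts_download',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'handle' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // Short, lowercase alphanumeric handle only; no path separators.
                    return is_string( $value )
                        && preg_match( '/^[a-z0-9_-]{1,64}$/', $value ) === 1;
                },
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

/**
 * Handler shared by both routes. It writes into a per-handle directory under
 * wp-content/uploads and refuses to recreate a directory that already exists,
 * so repeated requests do not accumulate duplicate copies on disk.
 */
function example_fonts_download( WP_REST_Request $request ) {
    $handle  = $request->get_param( 'handle' );
    $uploads = wp_upload_dir();
    $target  = trailingslashit( $uploads['basedir'] ) . 'example-fonts/' . $handle;

    if ( is_dir( $target ) ) {
        return new WP_Error(
            'example_fonts_exists',
            'Fonts for this handle were already downloaded.',
            array( 'status' => 409 )
        );
    }

    if ( ! wp_mkdir_p( $target ) ) {
        return new WP_Error(
            'example_fonts_mkdir_failed',
            'Could not create the font directory.',
            array( 'status' => 500 )
        );
    }

    // The actual font fetch would happen here (omitted: it is not the point of
    // the example). Return the resolved directory so callers can confirm it.
    return rest_ensure_response( array( 'directory' => $target ) );
}
```

The hardened registration fixes two separate things: the capability check closes the privilege-escalation path for low-privilege accounts, and the `validate_callback` plus the existing-directory check bound how much disk an authorized user can consume through the endpoint. On a WordPress site, the easiest way to audit for the weak form is to grep plugin code for `register_rest_route` and inspect every `permission_callback` that is `__return_true` or `is_user_logged_in`.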